Re: How to suppress VPN alarms while tunnel not in use

handsy · ‎08-27-2020

I have a number of IKEv2 Site-to-Site tunnels on my ASA. Some of them are only brought up when we want them to be and we have a script that deletes a route and clears the IPSEC SA when they are not in use.

The problem I have is that when we do this, the logs flood with hundreds of entries per minute with up/down alarms (750002, 750006, 750007, 751022 and 113019) for those tunnels.

Is there a way of suppressing those alarms while we are preventing access? Perhaps there is a better way to remove certain config that would stop the alarms, rather than us deleting the route and clearing the SA?

Any tips/advice welcome!

Rob Ingram · ‎08-27-2020

Hi,

You could remove those alerts, but then you'd not recieve them for other tunnels. It might be bette to remove the crypto map configuration, such as remove the peer or ACL reference.

no crypto map CM 10 match address R1_VPN 
OR
no crypto map CM 10 set peer 1.1.1.1

HTH

handsy · ‎08-28-2020

Thanks for the tips but that hasn't helped either. I even went as far as removing the tunnel config but still ended up getting constant 750002 and 751002 messages

Anyone else got any thoughts?

Rob Ingram · ‎08-28-2020

Ah ok, it looks like 750002 relates to an inbound SA initiation request, so your peer is attempting to establish the tunnel.

You could apply a control-plane ACL on the outside interface, denying udp/500, esp from the peers you do not wish to establish a tunnel and permitting all else.